>
>> and if the DSA wants to chain as B:
>> chainedRequest originator=Y request={
>> modifyRequest ... proxyAuthz=X
>> } proxyAuthz=B
>
> Just to make sure I got you: "originator" would play a sort of "native"
> proxyAuthz for the chainedRequest. So the players on the ground are:
>
> - the identity of the chaining DSA, A
> - the identity A wants to proxyAuthz as, B
> - the identity of the DUA that initiated the request, Y
> - the identity Y wanted to proxyAuthz as, X
>
Moreover, if the chained DSA needs to further chain the request, it would
contact yet another chained DSA using its own chaining identity (A'),
eventually quthorizing as its own authz chaining identity (B'); so the
chainedRequest would be rewritten as
bindRequest name=A'
chainedRequest originator=Y request={
modifyRequest ... proxyAuthz=X
} proxyAuthz=B'
since it's to trust originator=Y because the request was received from a
"trusted" chaining DSA that authenticated as A, i.e. an identity that is
given the privilege to chain requests.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
Ing. Pierangelo Masarati
Responsabile Open Solution
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------